How do you use All Undetermined Software Seen to identify whether heavy monitoring merits an override?

  • 20 December 2016
  • 0 replies
  • 10 views

The best practices guide recommends using the Silent Audit profile on new client machines. It suggests: "After using the Silent Audit policy for a day or two, you can create overrides to address unknowns and work with support to correct any false positives you may have encountered."
 
In the "Addressing Unknowns" section, it appears to be reactive guidance: use the report to see if the program on a host is in the unknown list, and then create overrides from the report.
 
Is it possible to use the report proactively to create overrides? If not, are there other tools that could do this?
 
Is dwell time significant? Given two programs with the same first seen and the same last seen but different dwell times, does it suggest one is monitored more frequently? Does it indicate how long the file was in a monitoring state (i.e., a long dwell time suggesting the program is always active and a shorter dwell time suggesting how long the last monitoring event ran)?
 
Thanks,
Greg
 
